Request new access token using refresh token in username-password grant in Spring Security OAuth2

spring spring-security oauth-2.0 access-token spring-security-oauth2
Pete picture Pete · Oct 29, 2013 · Viewed 42.2k times · Source

We're using the username-password grant to obtain an access token from our auth server. We want to refresh the access token before it expires using the provided refresh token until the user logs out or closes the client app.

However I just cannot find any examples of how to issue this refresh token request..

To obtain the token we call something like:

curl -v --data "grant_type=password&username=user&password=pass&client_id=my_client" http://localhost:8080/oauth/token

So to refresh I'd expect the call to look like this:

curl -v --data "grant_type=refresh_token&access_token=THE_ACCESS_TOKEN&refresh_token=THE_REFRESH_TOKEN" http://localhost:8080/oauth/token

or maybe 

curl -v -H "Authorization: Bearer THE_ACCESS_TOKEN" --data "grant_type=refresh_token&refresh_token=THE_REFRESH_TOKEN" http://localhost:8080/oauth/token

But it will just give me a 401..

Oh yeah, maybe I need to add the clientId? I cannot use the client secret, because there is none (see above request to obtain the token). Authentication is done using username and password after all..

I think we have the server configuration right, so I'll not post it here. If one of my example requests should work and you need to see the important config parts I'll add them.

Thanks!

Answer

Pete picture Pete · Oct 31, 2013

So as I said, we don't use a client secret, because we cannot have that hanging around in the Javascript client app. And it's not needed anyway, when using the username-password grant. (See the way we request the access token). Indeed I was close to the solution and finally figured it out:

curl -v --data "grant_type=refresh_token&client_id=THE_CLIENT_ID&refresh_token=THE_REFRESH_TOKEN" http://localhost:8080/oauth/token

so no need for the access token or the client secret.

Over all it feels safe enough.

  • We don't store any secret on the client app side.
  • The users always need a password to log in and can only see their resources.
  • We limit the validity of the refresh token to a realistic time like a workday or something so that even if it is compromised the window for an attacker is limited while still allowing the user to conveniently stay connected to the resource server throughout a long session.

Related questions

How to use RemoteTokenService?

I have a separate ResourceServer built using Spring-Security-oauth2. Here is the code RemoteTokenService. @Bean public ResourceServerTokenServices tokenService() { RemoteTokenServices tokenServices = new RemoteTokenServices(); tokenServices.setClientId("sample_test_client_app"); tokenServices.setClientSecret("secret"); tokenServices.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token"); return tokenServices; } When …

Read More
Allow OPTIONS HTTP Method for oauth/token request

I'm trying to enable oauth2 token fetching for my angular application. My configuration is working fine (authentication is working correctly for all requests, token fetching is working fine as well) but there is one problem. CORS requests require that before …

Read More
Spring Security OAuth2 check_token endpoint

I'm trying to setup a resource server to work with separate authorization server using spring security oauth. I'm using RemoteTokenServices which requires /check_token endpoint. I could see that /oauth/check_token endpoint is enabled by default when @EnableAuthorizationServer is …

Read More